author | Pawel Wieczorek <p.wieczorek2@samsung.com> | 2020-03-18 12:38:30 +0100 |
committer | Bartek Grzybowski <b.grzybowski@partner.samsung.com> | 2020-03-25 13:08:24 +0000 |
commit | 328bcfbce8d97a66b975ee45cd69b30cdb727aef (patch) | |
tree | 36fbb850dbca01e7bdfe09cbbc4e154a2fae3300 /test/security | |
parent | 8a7af5c45393636ab82ff1932b7d14224e449034 (diff) |
Add "expected failure" support to non-SSL NodePort scanner
This patch makes the scanner compatible with its shell predecessor. The same
"expected failure" list format is used, i.e.
# Comment line; will be ignored
SERVICE1 NODEPORT1
SERVICE2 NODEPORT2
Single space character is used as a field separator.
Issue-ID: SECCOM-261
Change-Id: Ieedd4e98a83ffe242c695133fdf7342e17efa9a2
Signed-off-by: Pawel Wieczorek <p.wieczorek2@samsung.com>
Diffstat (limited to 'test/security')
-rw-r--r-- | test/security/sslendpoints/README | 14 | ||||
-rw-r--r-- | test/security/sslendpoints/main.go | 50 |
2 files changed, 61 insertions, 3 deletions
diff --git a/test/security/sslendpoints/README b/test/security/sslendpoints/README
index bf39f0148..ba21b12ea 100644
--- a/test/security/sslendpoints/README
+++ b/test/security/sslendpoints/README
@@ -14,6 +14,11 @@ Configuration
 ``-kubeconfig``
     Optional unless ``$HOME`` is not set. Defaults to ``$HOME/.kube/config``.
 
+``-xfail``
+    Optional list of services with corresponding NodePorts which do not use SSL
+    tunnels. These ports are known as "expected failures" and will not be
+    checked.
+
 Build (local)
 ~~~~~~~~~~~~~
@@ -70,7 +75,7 @@ Command (local)
 .. code-block:: shell
 
-    $ bin/sslendpoints [-kubeconfig KUBECONFIG]
+    $ bin/sslendpoints [-kubeconfig KUBECONFIG] [-xfail XFAIL]
 
 Command (Docker)
 ~~~~~~~~~~~~~~~~
@@ -83,6 +88,13 @@ Command (Docker)
     $ docker run --rm --volume $KUBECONFIG:/opt/config \
         sslendpoints-build-img /bin/sslendpoints -kubeconfig /opt/config
 
+    $ docker run --rm \
+        --volume $KUBECONFIG:/opt/config \
+        --volume $XFAIL:/opt/xfail \
+        sslendpoints-build-img /bin/sslendpoints \
+        -kubeconfig /opt/config
+        -xfail /opt/xfail
+
 Output
 ~~~~~~
diff --git a/test/security/sslendpoints/main.go b/test/security/sslendpoints/main.go
index e5a76eb78..8c136d5c4 100644
--- a/test/security/sslendpoints/main.go
+++ b/test/security/sslendpoints/main.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+	"encoding/csv"
 	"flag"
 	"log"
 	"os"
@@ -18,17 +19,47 @@ import (
 
 const (
 	ipv4AddrType = "ipv4"
+
+	xfailComma   = ' '
+	xfailComment = '#'
+	xfailFields  = 2
+)
+
+var (
+	kubeconfig *string
+	xfailName  *string
 )
 
 func main() {
-	var kubeconfig *string
 	if home := os.Getenv("HOME"); home != "" {
 		kubeconfig = flag.String("kubeconfig", filepath.Join(home, ".kube", "config"), "(optional) absolute path to the kubeconfig file")
 	} else {
 		kubeconfig = flag.String("kubeconfig", "", "absolute path to the kubeconfig file")
 	}
+	xfailName = flag.String("xfail", "", "(optional) absolute path to the expected failures file")
 	flag.Parse()
 
+	var xfails [][]string
+	if *xfailName != "" {
+		xfailFile, err := os.Open(*xfailName)
+		if err != nil {
+			log.Printf("Unable to open expected failures file: %v", err)
+			log.Println("All non-SSL NodePorts will be reported")
+		}
+		defer xfailFile.Close()
+
+		r := csv.NewReader(xfailFile)
+		r.Comma = xfailComma
+		r.Comment = xfailComment
+		r.FieldsPerRecord = xfailFields
+
+		xfails, err = r.ReadAll()
+		if err != nil {
+			log.Printf("Unable to read expected failures file: %v", err)
+			log.Println("All non-SSL NodePorts will be reported")
+		}
+	}
+
 	// use the current context in kubeconfig
 	config, err := clientcmd.BuildConfigFromFlags("", *kubeconfig)
 	if err != nil {
@@ -67,7 +98,22 @@ func main() {
 		os.Exit(0)
 	}
 
-	// TODO: filter out expected failures here before running the scan
+	// filter out expected failures here before running the scan
+	for _, xfail := range xfails {
+		port, err := strconv.Atoi(xfail[1])
+		if err != nil {
+			log.Printf("Unable to parse port expected to fail: %v", err)
+			continue
+		}
+		service, ok := nodeports[uint16(port)]
+		if !ok {
+			continue
+		}
+		if service != xfail[0] {
+			continue
+		}
+		delete(nodeports, uint16(port))
+	}
 
 	// extract ports for running the scan
 	var ports []string |
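Review bot: When `os.Open` fails the new block only logs and falls through, so `defer xfailFile.Close()` and `csv.NewReader(xfailFile)` run on a nil `*os.File` and `ReadAll` fails again, producing a second "Unable to read expected failures file" message for the same root cause (nil-file methods return an error rather than panicking, so this is a misleading double log, not a crash). The deferred Close also lives in main, so — assuming the scan that follows runs to the end of main — the list file stays open for the whole run. Moving the read into a helper that returns `([][]string, error)` gives a single error path, closes the file as soon as it is parsed, and keeps the fail-closed behaviour (a list that cannot be read exempts nothing) that an exemption list for a security check should have; `csv.Reader` errors carry the offending line number, so the existing log still points at the bad entry. Note that with `FieldsPerRecord = 2` and a space delimiter, a trailing space on any line fails the whole file, which is worth stating in the README. The end of main is outside the hunk.
```go
// readXfails loads the "expected failure" list: one "SERVICE NODEPORT" pair
// per line, single-space separated; lines starting with '#' are ignored.
func readXfails(path string) ([][]string, error) {
	f, err := os.Open(path)
	if err != nil {
		return nil, err
	}
	defer f.Close()

	r := csv.NewReader(f)
	r.Comma = xfailComma
	r.Comment = xfailComment
	r.FieldsPerRecord = xfailFields
	return r.ReadAll()
}

func main() {
	// … unchanged: kubeconfig / xfail flag setup, flag.Parse() …

	var xfails [][]string
	if *xfailName != "" {
		var err error
		if xfails, err = readXfails(*xfailName); err != nil {
			log.Printf("Unable to read expected failures file: %v", err)
			log.Println("All non-SSL NodePorts will be reported")
		}
	}

	// … unchanged: kubeconfig loading and the scan …
```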
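Review bot: `strconv.Atoi` followed by `uint16(port)` silently truncates out-of-range values, so an entry such as `SERVICE 96000` is treated as NodePort 30464 (and a negative number wraps the same way); if that service happens to be exposed on the wrapped port, a genuine non-SSL finding is suppressed instead of the entry being rejected. Parsing with `port, err := strconv.ParseUint(xfail[1], 10, 16)` refuses anything outside 0–65535 and feeds the existing error branch; the two `uint16(port)` conversions can stay as they are. Because this list exempts services from a security check, it would also help auditing to log each exemption that actually removes a NodePort, e.g. `log.Printf("Skipping expected failure: %s on NodePort %d", service, port)` just before the `delete`, and to log entries that match no current NodePort so stale exemptions get pruned rather than silently ignored. The two `continue` branches can be folded into `if service, ok := nodeports[uint16(port)]; ok && service == xfail[0] { … }`. main continues outside the hunk.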